Windows/Network Connection:
- Connection Initiated Via Certutil.EXE
- Equation Editor Network Connection
- Download a File with IMEWDBLD.exe
- Communication To Mega.nz
Windows/System or Application/Service Control Manager:
- Suspicious Service Installation Script
- Turla PNG Dropper Service
- CobaltStrike Service Installations – System
- Windows Defender Threat Detection Disabled – Service
- smbexec.py Service Installation
- Invoke-Obfuscation Obfuscated IEX Invocation – System
- Invoke-Obfuscation STDIN+ Launcher – System
- Invoke-Obfuscation VAR+ Launcher – System
- Anydesk Remote Access Software Service Installation
- Hacktool Service Registration or Execution
Driver Load:
- Usage Of Malicious POORTRY Signed Driver
- PowerShell Scripts Run by Services
Azure/Azure Active Directory:
- Member Added to Group – Azure AD
- Multiple Members Added To Group – Azure AD2
Windows/Image Load:
- Suspicious Unsigned Dbghelp-Dbgcore DLL Loaded
- PCRE.NET Package Image Load
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Windows/Files:
- UEFI Persistence Via Wpbbin – FileCreation
- WMI Persistence – Script Event Consumer File Write
- Creation of a WerFault.exe in Unusual Folder
- UAC Bypass Using Windows Media Player – File
- UAC Bypass Abusing Winsat Path Parsing – File
- Suspicious Interactive PowerShell as SYSTEM
- Suspicious Scheduled Task Write to System32 Tasks
- Suspicious Startup Folder Persistence
- NPPSpy Hacktool Usage
- Powerup Write Hijack DLL
Fortigate@Fortinet:
- Fortigate Audit – System Changes Outside Working Hours
Windows/Process Creation:
- Certificate Exported Via Certutil.EXE
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Findstr Suspicious ParentCommandLine
- Use NTFS Short Name in Image
- Sdclt Child Processes
- Potential UAC Bypass Via Sdclt.EXE
Windows/PowerShell:
- Potential Registry Reconnaissance Via PowerShell Script
- PowerShell Set-Acl On Windows Folder – PsScript
- PowerShell Script Change Permission Via Set-Acl – PsScript
365 Defender:
- Collection – 365 Defender
- Defense Evasion – 365 Defender
- Ransomware – 365 Defender
- Credential Access – 365 Defender
Web Cache:
- Potential CVE-2023-36884 URL Request Pattern Traffic
Pulse Connect Secure@Pulse Secure:
- User Connected by VPN Outside Working Hours – Pulse Secure
Windows/Registry:
- UAC Bypass via Sdclt